Abstract

Symbolic Model Checking extends the scope of verification algorithms that can be handled automatically, by using symbolic representations rather than explicitly searching the entire state space of the model. However, even the most sophisticated symbolic methods cannot be directly applied to many of today's large designs because of the state explosion problem. Approximate symbolic model checking is an attempt to trade off accuracy with the capacity to deal with bigger designs. This paper explores the idea of using overlapping projections as the underlying approximation scheme. The idea is evaluated by applying it to several modules from the I/O unit in the Stanford FLASH Multiprocessor, and some larger circuits in the ISCAS89 benchmark suite.


1 Introduction

The ability to enumerate the set of states reachable from a certain state, and the ability to enumerate the set of states that can reach a certain state, are essential to many model checking algorithms. Binary Decision Diagrams (BDDs) [2] have proved to be a viable data structure for doing symbolic reachability on larger hardware designs than before. However, for many large design examples, even the most sophisticated BDD-based verification methods cannot produce exact results because of size blowup. Required properties of a design rarely rely on every implementation detail of the design, so approximate verification algorithms may yield meaningful results while handling larger designs.

* This work was supported by DARPA contracts DABT63-94-C-0054 and DABT63-96-C-0097. The content of this paper does not necessarily reflect the position or the policy of the Government and no official endorsement should be inferred.
We are interested in safety properties that hold for every member of a set $S$ of states. A superset $S_{ap}$ of $S$ is called an overapproximation of $S$. Although $S_{ap}$ may be larger than $S$, it may also have a smaller representation, so the computation of $S_{ap}$ may be more efficient than that of $S$. If every state in $S_{ap}$ satisfies a property, we can be sure that every state in $S$ also satisfies the property. Hence, a sufficiently accurate approximation can yield a useful result.

The approximation used is based on overlapping projections of sets of states. A set of states is represented by a list of BDDs; each element of the list constrains a possibly overlapping subset of the state variables. The projection of a set $S$ of bit vectors onto a set of one-bit variables, $w_j$, is the (larger) set of bit vectors that match some member of $S$ for all variables in $w_j$ (the values of other variables are ignored). $S$ can be approximated by projecting it onto many different subsets of the variables, and considering $S_{ap}$ to be the intersection of all of the approximations.

The idea is evaluated on several control modules from a real, large design unit in the Stanford FLASH Multiprocessor, with promising results. Properties in the design were either shown to hold for all reachable states, or actual violations were proved to exist in the exact reachable state space (some violated assertions resulted from omitting constraints on the possible inputs to the design).


2 Related Work

At a high level, this work is quite similar to that of Wong-Toi et al. [8], who used successive forward and backward overapproximations and underapproximations to verify real-time systems. That work used polyhedra for representing sets of real numbers along with BDDs, but approximation was used only for the polyhedra, not for the BDDs.

Various approaches to approximate reachability and verification using BDDs have preceded this work. Ravi et al. [16] use "high density" BDDs to compute an underapproximation of the forward reachable set. Cho et al. [5] proposed symbolic forward reachability algorithms that induce an overapproximation. They partition the set of state bits into mutually disjoint subsets, and do a symbolic forward propagation on individual subsets. Cabodi et al. [4] combine approximate forward reachability with exact backward reachability. Lee et al. [14] propose "tearing" schemes to do approximate symbolic backward reachability. They also partition the set of state bits into mutually disjoint subsets. They form the block sub-relations for the various subsets, and then incrementally "stitch" the block sub-relations together until the approximated next state relation is accurate enough to prove or disprove a given property. In contrast to the approach in [16], we are interested in computing overapproximations (supersets). In contrast to the approaches in [4,5,14], we allow for overlapping subsets, as overlapping projections have been shown [10] to be a more refined approximation compared to earlier schemes based on disjoint partitions.




3 Background

We analyze synchronous hardware, given as a Mealy machine $M = (x, y, q_0, n)$, where $x = \{x_1, \ldots, x_k\}$ is the set of state variables, and $y$ is the set of input signals. We will use $x' = \{x'_1, \ldots, x'_k\}$ to denote the next state versions of the corresponding variables in $x = \{x_1, \ldots, x_k\}$. The set of states is given by $[x \to B]$, where $B = \{0, 1\}$. The initial state is $q_0 \in [x \to B]$. The next state function is $n : [x \to B] \times [y \to B] \to [x \to B]$.

In our applications, sets can be viewed as predicates, since we can form the characteristic function corresponding to a set. BDDs can be used to represent predicates and manipulate them [3]. For example, let $R(x)$ be a predicate with support in $x$; we can compute the image of $R$ under $n$ as

$Im(R(x), n(x, y)) = \lambda x'.\exists x, y.(x' = n(x, y)) \wedge R(x).$

Let $g$ be a user specified property, and $\bar{g}$ denote the complement of $g$. Then the preimage of $\bar{g}(x)$, i.e. the set of states that can reach a state violating the property $g$ in one step, can be computed as follows:

$Pre(\bar{g}, n) = \lambda x.\exists x', y.(x' = n(x, y)) \wedge \bar{g}(x').$

3.1 Approximation by Projections

Let $w = (w_1, \ldots, w_p)$ be a collection of not necessarily disjoint subsets of $x$. (Each subset will be referred to as a block.) We define the operator $\alpha_j(R)$ which projects a predicate $R(x)$ onto the variables in $w_j$. Let $z$ consist of all of the Boolean variables in $x$ that are not in $w_j$. We can define $\alpha_j$ as

$\alpha_j(R(z, w_j)) = \lambda w_j.\exists z.R(z, w_j).$

Clearly the set of Boolean vectors satisfying $R$ is a subset of those satisfying $\alpha_j(R)$. This can be written using logical implication as $R \to \alpha_j(R)$. The projection operator $\alpha$ projects a predicate $R(x)$ onto the various $w_j$'s, and its associated concretization operator $\gamma$ conjoins the collection of projections.

$\alpha(R(x)) = (\alpha_1(R), \ldots, \alpha_p(R)).$

$\gamma(R_1, \ldots, R_p) = \bigwedge_{j=1}^{p} R_j.$

Lemma 3.1 For every predicate $R(x)$ and collection of subsets $(w_1, \ldots, w_p)$ of $x$, $R \to \gamma(\alpha(R))$.

The proof for this lemma is simple, since $R \to \alpha_j(R)$ for all $j$. Thus projecting a predicate $R$ onto a collection of subsets, and then concretizing the projections by $\gamma$, results in an overapproximation.

It is interesting to note that the pair of functions $(\alpha, \gamma)$ form a Galois connection [7] between the partially ordered set describing the concrete space $([x \to B], \subseteq)$ and the poset describing the abstract space $(\mathcal{P}([w_1 \to B]) \times \ldots \times \mathcal{P}([w_p \to B]), \sqsubseteq)$, where $\mathcal{P}(S)$ denotes the power set of $S$, and the ordering relation for the abstract space is defined as $(R_1, \ldots, R_p) \sqsubseteq (S_1, \ldots, S_p)$ iff

$\forall i \in [1 \ldots p].\ R_i \subseteq S_i.$
Let $R = (R_1, \ldots, R_p)$ and $S = (S_1, \ldots, S_p)$ be two tuples of equal size. We define the meet ($\sqcap$) and join ($\sqcup$) operators between $R$ and $S$ as follows:

$(R_1, \ldots, R_p) \sqcap (S_1, \ldots, S_p) = (R_1 \wedge S_1, \ldots, R_p \wedge S_p)$

$(R_1, \ldots, R_p) \sqcup (S_1, \ldots, S_p) = (R_1 \vee S_1, \ldots, R_p \vee S_p)$

Given the ordering relation ($\sqsubseteq$) in the abstract domain, it is easy to verify that the join operator returns the least upper bound, and meet returns the greatest lower bound, of the two elements $R$ and $S$ in the abstract domain. Further, $\gamma(R) \cup \gamma(S) \subseteq \gamma(R \sqcup S)$, which makes the join operator an approximation of set union. (However, the meet operator is an exact set intersection operator, since $\gamma(R) \cap \gamma(S) = \gamma(R \sqcap S)$.)

The operator $\alpha$ allows us to represent a big BDD with support in $x$ by a tuple of potentially smaller BDDs with limited support, at the cost of loss of accuracy. $\gamma$ can potentially result in a bigger BDD with bigger support, hence we would like to avoid computing $\gamma(R_1, \ldots, R_p)$ explicitly. Let $Im_{ap}$ (the subscript $ap$ denotes "approximate") return the projected version of the image of an implicit conjunction of BDDs, and let $Pre_{ap}$ return the projected version of the preimage of an implicit conjunction of BDDs.

$Im_{ap}(R, n) = \alpha(Im(\gamma(R), n(x, y)))$

$Pre_{ap}(R, n) = \alpha(Pre(\gamma(R), n(x, y)))$

Using $Im_{ap}$, we can compute an overapproximation, $FwdReach_{ap}(q_0)$, of the reachable states for a machine $M$. Analogously, using $Pre_{ap}$, we can compute an overapproximation, $BackReach_{ap}(g)$, of the set of states in $M$ that can reach the set of states $g$, as follows:

$FwdReach_{ap}(q_0) = \mathrm{lfp}\ R.(\alpha(q_0) \sqcup Im_{ap}(R, n))$

$BackReach_{ap}(g) = \mathrm{lfp}\ R.(\alpha(g) \sqcup Pre_{ap}(R, n))$

where lfp is a least fixed point iteration [3] which starts with $R = (0, \ldots, 0)$, and on each iteration joins the current approximate set with the approximate successor set. Finally, after reaching convergence, it returns a tuple $R$ to $FwdReach_{ap}(q_0)$ or $BackReach_{ap}(g)$, as the case may be. The approximate set of states that can be reached is the implicit conjunction $\gamma(FwdReach_{ap}(q_0))$. The approximate set of states that can reach $g$ is the implicit conjunction $\gamma(BackReach_{ap}(g))$.

Using Lemma 3.1 and monotonicity of the $Im$ and $Pre$ functions, it can be shown that the derived functions $Im_{ap}$ and $Pre_{ap}$ have the property

$Im(R(x), n) \subseteq Im(\gamma(\alpha(R(x))), n) \subseteq \gamma(Im_{ap}(\alpha(R(x)), n))$

$Pre(R(x), n) \subseteq Pre(\gamma(\alpha(R(x))), n) \subseteq \gamma(Pre_{ap}(\alpha(R(x)), n))$

The proof that $FwdReach_{ap}$ (and $BackReach_{ap}$) are overapproximations (supersets) follows trivially. These operators give us exact results in the special case when there is just one subset, $w_1 = x$, in the collection $w$.

4 Overlapping Projections

Our scheme for choosing the collection of subsets is presently manual. Of course, it would be desirable to automate, fully or partially, the choice of subsets, and we are working on developing good heuristics to do so. Our present heuristic [10] tries to put interacting finite state machines (FSMs) together in one subset. Often a master FSM communicates with a number of other slave FSMs. This is captured by having blocks where the master is paired with each of its slaves in different blocks. Occasionally two rather big state machines have a small interface, which can be captured by adding the bits through which the two machines communicate to the subsets containing the corresponding FSMs.

4.1 Computing $Im_{ap}$ by Multiple Constrain

The key step in our approximate forward propagation is computing $Im_{ap}$:

$Im_{ap}(R, n) = (S_1, \ldots, S_p) = \alpha(Im(\gamma(R), n(x, y)))$

We would like to be able to compute the $S_j$'s separately, without computing $Im(\gamma(R), n)$. Clearly $S_j$ can only depend on the next state functions of the variables appearing in the block $w_j$ in $w$. Let $\alpha_j(n)$ be the subset of next state functions determining the next state for the bits in $w_j$. Clearly,

$S_j = Im(\gamma(R), \alpha_j(n)).$

To avoid unnecessary BDD blowup, we want to avoid the explicit conjunction $\gamma(R)$. $S_j$ can be computed by forming the next state relation for block $w_j$ and using early quantification [3]. However, this did not work when we tried it on our larger examples. Instead, Coudert and Madre [6] have shown how to compute the image of a Boolean function vector using the generalized cofactor (also called constrain) operator ($\downarrow$). $(f \downarrow g)(x)$ has the same value as $f(x)$ when $g(x)$ holds, and usually results in a smaller BDD than $f$.

Coudert and Madre [6] show that $Im(\gamma(R), \alpha_j(n)) = Im(1, \alpha_j(n) \downarrow \gamma(R))$.

To avoid computing the large BDD for $\gamma(R)$, it is tempting to compute $\alpha_j(n) \downarrow R_1 \downarrow R_2 \ldots \downarrow R_p$. This works well [15] if the supports of the $R_i$'s are disjoint. However, since we have overlapping subsets, the naive method is incorrect [10].

Instead, for overlapping projections, we use the method of multiple constrain [10]. Let $(z_1, \ldots, z_p)$ be dummy state bits with corresponding next state functions $(R_1, \ldots, R_p)$. The multiple constrain method relies on the following key observation:

$Im(\gamma(R_1, \ldots, R_p), \alpha_j(n)) = Im(1, [\alpha_j(n), R_1, \ldots, R_p]) \downarrow z_1 \downarrow z_2 \ldots \downarrow z_p$

We can optimize the usual recursive co-domain partitioning algorithm [6] by avoiding computing the parts of the range that will be discarded. The algorithm $Im_{mc}$ described below implements the required function $Im_{ap}$. (A more detailed treatment is given in [10].)

function Im_mc((R_1, ..., R_p), (n_1, ..., n_m))
    v ← [n_1, ..., n_m, R_1, ..., R_p]
    for j = p down to 1 by 1 do
        v ← v ↓ v[m + j]
    endfor
    return Im(1, {v[1], ..., v[m]})
5 Using Auxiliary Variables to Refine $Im_{ap}$ and $Pre_{ap}$

The previous schemes can be further improved upon by augmenting the set of state variables with some auxiliary state variables. An auxiliary variable is an internal state component that is added to the implementation without affecting the externally visible behavior. The idea of augmenting a legal implementation with some extra state components in a way that places no constraints on the behavior of the implementation is not entirely new. Abadi and Lamport [1] introduced a special class of auxiliary variables, history and prophecy variables, to broaden the applicability of refinement mapping techniques. We use auxiliary state variables [12] to broaden the applicability of approximate reachability techniques.

5.1 Converting Internal Wires to Auxiliary State Variables

We look for important internal conditions in the combinational logic and convert them to auxiliary variables. An auxiliary variable is useful because it captures important properties of many state variables in a single new state bit. This bit can be added to the other subsets to capture correlation between many state variables, even while the number of variables in the different subsets stays small.

We make use of auxiliary variables by converting them to state variables. To assign a next state function to an auxiliary variable, we get the fanin cone for the internal wire it corresponds to. (A fanin cone of a wire is obtained by topologically moving back from the wire and grabbing all the logic that feeds into it until we hit a flop boundary or an input boundary.) Let $f(x)$ be the Boolean function for the cone of logic feeding into a wire, called $foo$. Recall that $n$ is the vector of next state functions for the usual state variables $x$. The next state function for the auxiliary state variable $foo$ is obtained by substituting the corresponding next state function from $n$ for each state variable in the support of $f(x)$. This has the effect of retiming the internal wire $foo$. (The initial condition for the auxiliary state variable $foo$ is set by the image computation $Im(q_0, f)$.) This construction is possible only for those internal wires whose fanin cones involve just state variables and no inputs.

This limitation can be circumvented by including the inputs as part of the state (as in a Kripke structure). We never used this for any of our results here, but the Mealy machine $M = (x, y, q_0, n)$ can be transformed to $M' = (x', y', q'_0, n')$, where $x' = x \cup y$ and $q'_0 = q_0$. The $y'$ component is a set with a primed version for each variable in $y$. The next state function for the $x$ state variables remains the same, but for the $y$ variables it is the corresponding input variable from $y'$. Assuming a totally unconstrained input environment, $M$ and $M'$ allow the same externally visible behaviors. However, $M'$ allows us more flexibility in choosing auxiliary state variables.

Our scheme for choosing which internal abstractions to convert to auxiliary state variables is presently manual, and relies on being able to inspect the RTL source. We believe it helps to look at the RTL source, because designers often create internal abstractions themselves while coding up their design using a hardware description language (such as Verilog). Hence we can leverage this high level information directly by inspecting the RTL description. We presently look for internal wires in the RTL description that have many state variables in their fanin support. More details on our heuristic can be obtained from [12].

6 Refinement

An overapproximation of the states that lie on a path from the initial state $q_0$ to a state not satisfying a user-specified property $g$ is computed by repeated forward and backward passes, until the approximation no longer improves.

function BackAndForth(g)
    Rf ← (0, ..., 0)
    Rb ← (1, ..., 1)
    while (Rf ≠ Rb) do
        Rf ← lfp R.(α(q_0) ⊔ (Im_ap(R, n) ⊓ Rb))
        if (γ(Rf) → g) return "no errors"
        Rb ← lfp R.(α(ḡ) ⊔ (Pre_ap(R, n) ⊓ Rf))
        if (γ(Rb) ∧ q_0 = 0) return "no errors"
    endwhile
    return Rf

The tests $\gamma(Rf) \to g$ and $\gamma(Rb) \wedge q_0 = 0$ can be performed without computing the explicit conjunctions of the BDDs in $Rf$ and $Rb$, by computing images using the method of multiple constrain [10]. $\gamma(Rf) \to g$ holds iff $Im(\gamma(Rf), g) = \{1\}$, and $(\gamma(R) \wedge q_0) = 0$ iff $Im(\gamma(R), q_0) = \{0\}$. If BackAndForth is unable to prove the desired property $g$, it is often possible to run it again with larger blocks of variables in $w$.
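As an added illustration, which is not code from the paper or from its LISP implementation, the following Python models the operators of Section 3.1 ($\alpha_j$, $\alpha$, $\gamma$, $\sqcup$, $\sqcap$, $Im_{ap}$, $Pre_{ap}$ and the lfp iteration) together with the BackAndForth procedure above, on a constructed four-bit Mealy machine. Explicit state sets stand in for BDDs, so nothing here avoids computing $\gamma$; the point is to watch how the choice of blocks changes what can be proved. The machine, the three block collections and the three properties are assumptions chosen for the example, and the loop stops when neither tuple changes, which is the "no longer improves" condition stated in the prose.

```python
from itertools import product

# Constructed machine (an assumption for this example, not from the paper):
# state bits x = (a0, a1, b0, b1) encode two 2-bit counters a and b, and
# there is one input bit y. When y = 1 both counters advance in lockstep
# (mod 4); otherwise the state is unchanged. Exactly the states with a == b
# are reachable from q0 = (0, 0, 0, 0).
def to_bits(v):              # counter value -> (low bit, high bit)
    return (v & 1, (v >> 1) & 1)

def to_val(lo, hi):          # (low bit, high bit) -> counter value
    return lo | (hi << 1)

def n(x, y):
    """Next state function n(x, y) of the constructed Mealy machine."""
    a, b = to_val(x[0], x[1]), to_val(x[2], x[3])
    if y:
        a, b = (a + 1) % 4, (b + 1) % 4
    return to_bits(a) + to_bits(b)

ALL = frozenset(product((0, 1), repeat=4))    # the state space [x -> B]
Q0 = frozenset({(0, 0, 0, 0)})                 # initial state q0

# Predicates over x are explicit state sets here, standing in for BDDs.
def Im(R):   # exact image: successors of R under n, for any input
    return frozenset(n(x, y) for x in R for y in (0, 1))

def Pre(R):  # exact preimage: states with some successor in R
    return frozenset(x for x in ALL if any(n(x, y) in R for y in (0, 1)))

# Section 3.1: a block w_j is a tuple of variable indices; a projected
# predicate is the set of partial assignments to that block.
def alpha_j(R, w_j):
    return frozenset(tuple(x[i] for i in w_j) for x in R)

def alpha(R, w):
    return tuple(alpha_j(R, w_j) for w_j in w)

def gamma(Rs, w):            # the implicit conjunction, made explicit
    return frozenset(x for x in ALL
                     if all(tuple(x[i] for i in w_j) in R_j
                            for R_j, w_j in zip(Rs, w)))

def join(Rs, Ss):            # lattice join: componentwise disjunction
    return tuple(R | S for R, S in zip(Rs, Ss))

def meet(Rs, Ss):            # lattice meet: componentwise conjunction
    return tuple(R & S for R, S in zip(Rs, Ss))

def Im_ap(Rs, w):
    return alpha(Im(gamma(Rs, w)), w)

def Pre_ap(Rs, w):
    return alpha(Pre(gamma(Rs, w)), w)

def lfp(step, w):
    """Least fixed point of R -> step(R), iterated from R = (0, ..., 0)."""
    R = tuple(frozenset() for _ in w)
    R_next = step(R)
    while R_next != R:
        R, R_next = R_next, step(R_next)
    return R

def fwd_reach_ap(w):
    return lfp(lambda R: join(alpha(Q0, w), Im_ap(R, w)), w)

def back_and_forth(g, w):
    """BackAndForth of Section 6; g is the set of states satisfying the
    property. Returns 'no errors', or the final forward tuple Rf once the
    two approximations stop improving without proving g."""
    not_g = ALL - g
    Rf = tuple(frozenset() for _ in w)                 # (0, ..., 0)
    Rb = tuple(alpha_j(ALL, w_j) for w_j in w)         # (1, ..., 1)
    while True:
        Rf_new = lfp(lambda R: join(alpha(Q0, w), meet(Im_ap(R, w), Rb)), w)
        if gamma(Rf_new, w) <= g:                       # gamma(Rf) -> g
            return "no errors"
        Rb_new = lfp(lambda R: join(alpha(not_g, w),
                                    meet(Pre_ap(R, w), Rf_new)), w)
        if not (gamma(Rb_new, w) & Q0):                 # gamma(Rb) /\ q0 = 0
            return "no errors"
        if (Rf_new, Rb_new) == (Rf, Rb):                # no longer improves
            return Rf_new
        Rf, Rb = Rf_new, Rb_new

# Three block collections over (a0, a1, b0, b1) and three safety properties.
W_EXACT = ((0, 1, 2, 3),)              # one block w_1 = x: exact result
W_DISJOINT = ((0, 1), (2, 3))          # disjoint partition
W_OVERLAP = ((0, 1, 2), (0, 2, 3))     # overlapping projections
G_LOW_BITS_AGREE = frozenset(x for x in ALL if x[0] == x[2])
G_A_EQ_B = frozenset(x for x in ALL if x[:2] == x[2:])
G_A_NE_3 = frozenset(x for x in ALL if not (x[0] and x[1]))

if __name__ == "__main__":
    for name, w in (("exact", W_EXACT), ("disjoint", W_DISJOINT), ("overlap", W_OVERLAP)):
        print(name, len(gamma(fwd_reach_ap(w), w)), "approximately reachable states;",
              "a0 == b0 provable:", back_and_forth(G_LOW_BITS_AGREE, w) == "no errors")
```

With the single block $w_1 = x$ the forward fixpoint is the exact reachable set (4 states). The disjoint partition loses every correlation between the two counters and admits all 16 states, so it cannot prove even that the low bits agree. The overlapping blocks, which share $a_0$ and $b_0$, keep that correlation (8 states) and BackAndForth proves $a_0 = b_0$, but they still cannot prove $a = b$; that is the situation in which the text suggests rerunning with larger blocks, and W_EXACT is the largest such block.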

6.1 Counterexamples

If BackAndForth reports a possible error, it is useful to check whether there is an actual error by generating an example path from $q_0$ to a state that does not satisfy $g$. This both confirms the existence of an error and provides debugging information to the user. In exact reachability analysis, if an error state is reachable from an initial state, it is straightforward to construct a specific path from the initial state to an error. But in approximate analysis, such a path may not exist. More subtly, the algorithm may have found a real error via a non-existent path. A simple search method was implemented for counterexample generation which worked well on examples.

Starting from the error states, the algorithm computes approximate preimages and stores the preimages obtained at the various iterations of the fixpoint algorithm in a stack. Let $T_0, T_1, \ldots, T_m$ (where $T_m$ intersects with the error states) be the final contents of the stack, and let $T_i$ be the first level at which the approximate preimage intersects with the initial state $q_0$. Choose a single state $s_0$ from the intersection $q_0 \wedge T_i$ and compute an exact image of $s_0$. If the image of $s_0$ intersects with $T_{i+1}$, choose a single state $s_1$ from the intersection and continue moving forward. It is also possible that the image of some state $s_i$ in layer $T_j$ may lie entirely in $T_j$ and not intersect with $T_{j+1}$ at all (implying $T_{j+1}$ is approximately reachable from $s_i$ but not exactly reachable from $s_i$), in which case, randomly choose another state $s_{i+1}$ from the image of $s_i$ and continue trying to move to the next layer in the stack. If the algorithm spends more than 10 steps at the same layer, it aborts and reports that it could not find a counterexample.

This simple algorithm has worked well for proving local safety properties over the individual submodules of FLASH I/O, but often fails when we prove global safety properties over the complete design. We are currently working on improving this and looking for ways to improve the approximations when the counterexample generation gets stuck.

7 Experiments

The experimental implementation of the method was in LISP, calling David Long's BDD package (implemented in C) via the foreign function interface. The method was evaluated on a collection of control circuits from the MAGIC chip, a custom node controller in the Stanford FLASH multiprocessor [13]. For comparison with earlier work, we also present our results when applied to the ISCAS89 benchmark suite.

Approximate Forward Reachability: In the case of the s13207 circuit from the ISCAS89 benchmark suite, earlier approximate schemes based on disjoint partitions [5] resulted in a superset with a satisfying fraction of 3.42e-106, whereas our scheme with overlapping projections resulted in a tighter superset with a satisfying fraction of 1.13e-115, which represents an improvement by a factor of 3.3e+08. Similarly, in the case of s38584, results with overlapping projections were better by a factor of 8.8e+15. A more detailed listing of the results we obtained on the other circuits from the ISCAS89 suite and the results on the FLASH I/O modules is given in [10]. Further, on adding auxiliary state variables, the results obtained by overlapping projections over the usual state variables alone were improved by at least an order of magnitude. More details on the results obtained with auxiliary state variables are in [12].

Approximate Forward and Backward Reachability: We applied our approximate forward and backward routines to prove some designer-provided invariant properties on various submodules in FLASH I/O. Out of 20 properties, the approximation scheme was able to prove 13 of them, and present counterexamples for the remaining 7. (More details on the results with the modules in FLASH I/O can be obtained from [11].)

Proving global properties on a big design: We have also applied our algorithm to prove some more global properties over FLASH I/O. Using the lossless cone-of-influence reduction, we are able to reduce the original design (nearly 2400 state variables) to the order of 200 state variables. By doing approximate reachability over these 200 variables using overlapping projections, we have been able to prove 3 global invariants and disprove 2 others with a valid counterexample. However, there is still more to be done before designs of this size can be directly handled by our model checker.